Method and system for providing biometric authentication at a point-of-sale via a moble device

This application claims priority benefit under 35 U.S.C. § 119(e) from provisional application No. 60/806,126, filed Jun. 29, 2006. The 60/806,126 provisional application is incorporated by reference herein, in its entirety, for all purposes.

The disclosed embodiments pertain to a mobile architecture for payment transactions and more specifically, a method and system for providing biometric authentication at a point-of-sale (“POS”).

Current methods for utilizing mobile devices, such as cell phones, to make purchases at POSs typically focus on using stored value accounts for payment and personal identification numbers (“PiNs”) and/or callback confirmation messages in order to validate purchases. For example, MobileLime offers a cell phone payment solution based on “pre-authorization.” A consumer registers with MobileLime by providing a PIN to the MobileLime system via its website. By presenting cash at a participating merchant location or conducting a credit or debit card transaction via the MobileLime website, a consumer can “prepay” a specified amount into a stored value account. Alternatively, a consumer can directly link a credit or debit card to his MobileLime account. When the consumer subsequently visits a participating merchant, he dials the MobileLime number and, using dual-tone multi-frequency (“DTMF”) or interactive voice response (“IVR”), enters his PIN and a merchant identification number (visible at the merchant location or available at the MobileLime website) in order to pre-approve his purchase. When the consumer is ready to complete his purchase, he tells the clerk the last four digits of his cell phone number to consummate the transaction. MobileLime\'s back-end system interfaces with the POS to settle the transaction by deducting the appropriate purchase amount from the consumer\'s account.

The MyTango system functions somewhat similarly. MyTango enables a consumer to design “preorders” via the MyTango website for specific merchants (e.g., restaurant chains, etc.) such that the consumer is able to send a Short Message Service (“SMS”) code for the designed preorder to the MyTango system. The system verifies that the MyTango consumer\'s stored value account contains sufficient funds and transfers the payment to the merchant. The system then forwards the order to the merchant who prepares the order.

Other cell phone payment solutions intended to be used at merchant locations involve technologies using over the air (“OTA”) or contactless interfaces, such as Radio Frequency Identification (“RFID”), Near Field Communication (“NFC”), Bluetooth, or infrared technologies, to transfer data or otherwise communicate with a merchant\'s payment system. Such payment solutions typically require consumers to use specialized mobile devices (e.g., with contactless capabilities) and merchants to employ additional hardware devices (e.g., RFID or NFC readers). For example, DoCoMo requires a participant to use a smartcard-equipped mobile phone (known as a “wallet phone” or “Osaifu-Keitai”). The smartcard, also called an integrated circuit (“IC”) card, enables the mobile phone for contactless payments, as well as other functions. To conduct a purchase, a consumer must first add value to his DoCoMo account, which is stored within the phone via the smartcard. The consumer can do so using the DoCoMo Internet billing application via the phone by entering his password and the amount he wishes to add via the phone\'s interface. Additionally, he can present his mobile phone at a physical location, such as at a POS or an automated kiosk equipped with a contactless reader, and add value by providing cash or credit. Alternatively, a DoCoMo user can associate his smartcard-equipped mobile phone with a DoCoMo credit account, thereby allowing the phone itself to function as a credit card. In all of the foregoing configurations, the consumer can use his mobile phone for payments by waving it in front of a contactless reader at the POS and the consumer\'s DoCoMo account is charged accordingly.

Other mobile payment solutions are less focused on POS transactions. For example, PayPal\'s mobile payment solution enables a cell phone owner to send an SMS message to purchase an item appearing in an advertisement. First, a consumer registers at least one financial account (checking, credit, debit, stored-value, etc.) with PayPal to be used for online or mobile payments. Typically, the consumer sets one financial account as a default for all PayPal payments. When the cell phone owner sees a PayPal icon with an SMS number and product code appearing in an advertisement, he sends an SMS message containing the product code to the number. PayPal immediately calls the cell phone owner and requests that he enter a PIN to confirm the purchase. If the consumer provides the proper PIN, the transaction is billed to his PayPal account.

The aforementioned mobile payment solutions depend upon the proper use of the mobile device involved in the transaction, but do not provide strong authentication of the consumer utilizing it. Solutions requiring pre-authorization or preordering could allow an interceptor to impersonate the cell phone owner at the POS without the device. For example, in the MobileLime system, if an imposter knows or suspects that the cell phone owner has pre-authorized a MobileLime transaction and knows the owner\'s cell phone number, the imposter could offer the last four digits of the cell phone number at the POS and attempt a purchase based on the pre-authorization. Similarly, MyTango does not appear to offer any authentication at the merchant location and an imposter could pick up a preordered meal if he is aware of the cell phone owner\'s preorder.

Some of the foregoing solutions utilize PLNs/passwords to authenticate the cell phone owner. Although such security mechanisms offer some level of authentication, they are weaker or at best equivalent to other payment systems available for POS transactions; therefore, the industry may be hesitant to move towards higher value mobile payment transactions. For example, if a criminal steals the mobile device of a MobileLime user and is able to decipher the PIN, he can use the mobile device as if he were the legitimate owner. Mobile payment solutions that store a consumer\'s financial account information on his mobile device are at even greater risk. For example, a DoCoMo mobile phone stores financial account information on an integrated smartcard, and once a criminal defeats the device\'s security features (if any), he has instant access to the owner\'s financial account.

Some mobile devices are equipped with biometric readers, such as fingerprint sensors, and restrict access via biometric security measures. For example, mHave offers mobile payment services via a mobile phone equipped with a fingerprint sensor. However, as of the date of the disclosure, the typical consumer does not own such a device because they are not commonly available or affordable.

Additionally, mobile payment solutions that require specially equipped mobile devices to communicate with the POS terminal can hinder adoption due to the need for consumers to purchase such specially equipped devices and merchants to purchase hardware infrastructure to support such devices.

Furthermore, many mobile payment solutions do not account for the limitations of mobile devices. Cell phone interfaces offer limited keypad functionality, which can make sending text messages inconvenient, especially during a transaction at a POS. Likewise, DTMF methods typically require the consumer to switch back and forth between listening to the phone and pressing the keypad. IVR solutions in which a PIN is spoken into the cell phone also risk compromise of secret information by eavesdroppers. Such issues can lessen the appeal of mobile payment solutions and thereby limit their adoption.

In contrast to current mobile payment solutions, biometric authentication systems offer merchants a convenient and secure means for POS transactions. For example, the Pay By Touch biometric payment solution allows a consumer to register multiple payment accounts, as well as loyalty account information and other personal and identity-related information, in a central location. A Pay By Touch user can access this information by providing a fingerprint scan at a POS terminal. However, to implement such a system, a merchant\'s POS terminals must be equipped with biometric sensors and the associated operating systems. Regardless of the benefits (e.g., security, convenience, etc.), a merchant may be hesitant to implement such a biometric payment solution due to the cost, time and other resources required for installation.

What is needed is a more strongly authenticated mobile solution that enables secure and convenient payments in a merchant setting without necessitating additional hardware integration at the POS or specially equipped mobile devices. The system of the present invention stores the consumer\'s financial data at a central location, and the consumer can access it via a merchant\'s standard payment terminal to select the desired account. The consumer does not need a special mobile device to participate, nor does the merchant need to install biometric sensors and associated equipment. Thus, the present invention allows for the implementation of a biometric mobile payment system without the necessity of cost-prohibitive equipment.

The present invention utilizes biometric authentication through a mobile device to provide a convenient and secure payment means at a POS. When a consumer desires to make a purchase, he authenticates himself by establishing a call with an identity provider service and providing a voice sample to authenticate himself biometrically as well as based on the textual content of the voice sample (e.g., a password). Thereafter, the authenticated consumer can access his centrally registered information from the identity provider service to conduct a transaction at a POS terminal.

In particular, the disclosures herein teach, in part, a method for enrolling the consumer in such a mobile payment system, wherein the method comprises receiving registration information (including, for example, a mobile phone number) from the consumer through an online connection such as a website, generating an electronic wallet for the consumer containing the registration information, establishing a voice connection with the consumer\'s mobile device (i.e., associated with the mobile phone number), capturing a voice sample from the consumer; and storing the voice sample in association with the mobile phone number for biometric authentication purposes.

Once a consumer is enrolled in the mobile payment system, he is able to initiate payment transactions utilizing his mobile phone. During such a transaction, the mobile payment system as taught herein would receive an initiation request from the consumer\'s mobile phone (e.g., either a voice connection or a text message, etc.) for establishing a voice connection. This results in the receipt of a device identifier (such as, for example and without limitation, the mobile phone number of the mobile device), allowing the mobile payment system to determine if the device identifier corresponds to a registered device identifier (established during the foregoing enrollment process). If so, the mobile payment system can establish a voice connection with the mobile device, receive through the voice connection a voice sample of the consumer associated with the mobile device, compare the voice sample with a registered voice sample associated with the mobile device (again, established during the foregoing enrollment process), convert the voice sample into a text sequence, compare at least a portion of the text sequence with a registered text sequence (also established during the foregoing enrollment process) associated with the mobile device, generate an authorization identifier to be presented by the consumer at a point of transaction; and transmit the authorization identifier to the mobile device.

Upon receiving the authentication identifier through the mobile phone (confirming authentication of the consumer), the consumer is able to conduct a transaction at a merchant point-of-sale terminal through the teachings disclosed herein. In particular, when the consumer interacts with the merchant\'s point-of-sale terminal, the mobile payment system receives a request from the merchant point-of-sale terminal for consumer information (e.g., payment information such a credit card, debit card or checking account numbers, etc.) with the request including the authorization identifier, it matches the authorization identifier with a stored authorization identifier (for example and without limitation, a “staged” transaction as further detailed herein) in order to obtain a consumer identifier associated with the stored authorization identifier, and it transmits stored consumer information (e.g., payment information such as a credit card, debit card, checking account, etc.) associated with the consumer identifier to the merchant point-of-sale terminal, which enables the merchant point-of-sale to authorize the transaction by communicating with a payment processor.